diff --git a/bin/zopen-build b/bin/zopen-build
index 3af489b38..ddb0f52a2 100755
--- a/bin/zopen-build
+++ b/bin/zopen-build
@@ -2507,6 +2507,9 @@ create_rpm()
   if [ -n "${rpm_deps}" ]; then
     cmd="${cmd} --requires \"${rpm_deps}\""
   fi
+  if [ "${signPax}" = "true" ]; then
+    cmd="${cmd} --sign"
+  fi
   if ! runAndLog "${cmd}"; then
     printError "Could not generate RPM from \"${paxFileName}\""
   fi
diff --git a/bin/zopen-pax2rpm b/bin/zopen-pax2rpm
index 823037b11..207d36d8d 100755
--- a/bin/zopen-pax2rpm
+++ b/bin/zopen-pax2rpm
@@ -40,6 +40,7 @@ PACKAGER_EMAIL="${CURRENT_USER}@$(hostname 2>/dev/null || echo "localhost")"
 # Build flag
 BUILD_RPM=false
 BUILD_BINARY_ONLY=false
+SIGN_RPM=false
 BUILDROOT="${HOME}/rpmbuild"
 VALIDATE_SPEC=false
 DRY_RUN=false
@@ -386,6 +387,85 @@ EOF
   return 0
 }
 
+# Function to sign generated RPMs
+sign_rpm() {
+  set -x
+  echo "In sign_rpm"
+  pwd
+  buildroot="$1"
+
+  # Check for required environment variables
+  if [ -z "${ZOPEN_GPG_SECRET_KEY_FILE}" ] || [ -z "${ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE}" ]; then
+    printError "Signing requested but ZOPEN_GPG_SECRET_KEY_FILE or ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE not set"
+    return 1
+  fi
+
+  echo ""
+  echo "=========================================="
+  echo "Signing RPM packages..."
+  echo "=========================================="
+  echo ""
+
+  # Create a temporary directory for GPG keyring
+  TMP_GPG_DIR=$(mktempdir "rpm_gpg")
+  chmod 700 "${TMP_GPG_DIR}"
+
+  OLD_GNUPGHOME="$GNUPGHOME"
+  export GNUPGHOME="$TMP_GPG_DIR"
+  RPM_LIST=""
+
+  # Import the private key
+  echo "Importing private key..."
+  if ! gpg --batch --yes --import "${ZOPEN_GPG_SECRET_KEY_FILE}" >/dev/null 2>&1; then
+    printError "Failed to import GPG secret key"
+  fi
+
+  # Identify the GPG key ID (long ID)
+  GPG_KEY_ID=$(gpg --list-secret-keys --with-colons | grep '^sec' | cut -d: -f5 | head -n 1)
+  if [ -z "${GPG_KEY_ID}" ]; then
+    printError "Could not identify GPG key ID from imported key"
+  fi
+
+  # Create a wrapper script for gpg to handle the passphrase file
+  GPG_WRAPPER="${TMP_GPG_DIR}/gpg_wrapper.sh"
+  cat << EOF > "${GPG_WRAPPER}"
+#!/bin/sh
+gpg --batch --pinentry-mode loopback --passphrase-file "${ZOPEN_GPG_SECRET_KEY_PASSPHRASE_FILE}" "\$@"
+EOF
+  chmod +x "${GPG_WRAPPER}"
+
+  # Sign the RPMs using the wrapper and key ID
+  # We use --define to override the GPG command and key details
+  SIGN_CMD="rpmsign --addsign --key-id ${GPG_KEY_ID} \
+    --define '_gpg_name ${GPG_KEY_ID}' \
+    --define '__gpg ${GPG_WRAPPER}' \
+    --define '_gpg_path ${TMP_GPG_DIR}'"
+
+  # Use a temporary file to avoid subshell return issues
+  RPM_LIST=$(mktempfile "rpmlist")
+  find "$buildroot/RPMS" -name "*.rpm" -type f > "$RPM_LIST"
+
+  if [ ! -s "$RPM_LIST" ]; then
+    printError "No RPM packages found to sign in $buildroot/RPMS"
+  fi
+
+  while read rpm; do
+    [ -z "$rpm" ] && continue
+    echo "Signing $rpm..."
+    if ! eval "${SIGN_CMD} \"${rpm}\""; then
+      printError "Failed to sign RPM: $rpm"
+    fi
+  done < "$RPM_LIST"
+
+  rm -f "$RPM_LIST"
+  rm -rf "$TMP_GPG_DIR"
+  [ -n "$OLD_GNUPGHOME" ] && export GNUPGHOME="$OLD_GNUPGHOME" || unset GNUPGHOME
+
+  echo "✓ All RPMs signed successfully"
+  set +x
+  return 0
+}
+
 # Function to setup rpmbuild directories
 setup_rpmbuild() {
   buildroot="$1"
@@ -718,6 +798,11 @@ source_name=$(basename "$pax_file")
       done
     fi
     echo ""
+
+    if [ "$SIGN_RPM" = true ]; then
+      sign_rpm "$buildroot"
+    fi
+
     return 0
   else
     echo ""
@@ -840,6 +925,10 @@ main() {
       BUILD_BINARY_ONLY=true
       shift
       ;;
+    --sign)
+      SIGN_RPM=true
+      shift
+      ;;
     --buildroot)
       [ -n "$2" ] || { echo "Error: --buildroot requires a value" >&2; usage; }
       BUILDROOT="$2"
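Review bot: Every failure after the temporary keyring is created (a failed `gpg --import`, an empty GPG_KEY_ID, an empty RPM list, a failed rpmsign) only calls printError and falls through, so unless printError terminates the process the function still prints `✓ All RPMs signed successfully` and returns 0, and in either case the `rm -rf "$TMP_GPG_DIR"`/GNUPGHOME restore at the bottom is skipped and the imported secret key stays on disk in the temporary keyring. Move the temp-file, keyring and GNUPGHOME cleanup into a small helper and call it before a `return 1` on each of those paths, matching the first check in the function. The `set -x`, `echo "In sign_rpm"` and `pwd` at the top read as debugging leftovers; with tracing on, the key ID, the keyring path and the passphrase-file path are written to the build log, so they should be removed rather than paired with `set +x`. The `eval "${SIGN_CMD} \"${rpm}\""` is only needed because the command is held in a string; calling rpmsign directly with quoted arguments, as below, drops the eval and lets the loop use `IFS= read -r` so paths containing backslashes or `$` are passed verbatim.
```shell
  # Restore GNUPGHOME and remove the keyring/list on every exit path
  sign_rpm_cleanup() {
    [ -n "$RPM_LIST" ] && rm -f -- "$RPM_LIST"
    rm -rf -- "${TMP_GPG_DIR:?}"
    if [ -n "$OLD_GNUPGHOME" ]; then export GNUPGHOME="$OLD_GNUPGHOME"; else unset GNUPGHOME; fi
  }
  # … unchanged: key import, key-ID lookup, wrapper creation (each failure now: sign_rpm_cleanup; return 1) …
  while IFS= read -r rpm; do
    [ -z "$rpm" ] && continue
    echo "Signing $rpm..."
    if ! rpmsign --addsign --key-id "${GPG_KEY_ID}" \
        --define "_gpg_name ${GPG_KEY_ID}" \
        --define "__gpg ${GPG_WRAPPER}" \
        --define "_gpg_path ${TMP_GPG_DIR}" "${rpm}"; then
      printError "Failed to sign RPM: $rpm"
      sign_rpm_cleanup
      return 1
    fi
  done < "$RPM_LIST"
  sign_rpm_cleanup
```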
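Review bot: The exit status of `sign_rpm "$buildroot"` is discarded, so when sign_rpm returns 1 (its missing-environment check) the function still reaches `return 0` and a build run with `--sign` that produced unsigned RPMs is reported as successful. Propagate it, e.g. `sign_rpm "$buildroot" || return 1`. The enclosing function and its `if`/`else` begin before this hunk and end after it.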